
CN117134925A - Network programming technology processing method, system and storage medium - Google Patents


Info

Publication number: CN117134925A
Authority: CN (China)
Prior art keywords: message, network, network programming, processing, traffic
Legal status: Pending
Application number: CN202210546405.XA
Other languages: Chinese (zh)
Inventors: 杜宗鹏, 李志强, 孙滔
Current assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Application filed by China Mobile Communications Group Co Ltd and Research Institute of China Mobile Communication Co Ltd
Priority application: CN202210546405.XA; related PCT application PCT/CN2023/094748 (published as WO2023222028A1)
Publication: CN117134925A (legal status: pending)


Classifications

All classifications fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/1408 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 47/24 Traffic control in data switching networks; flow control and congestion control; traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 47/31 Flow control and congestion control by tagging of packets, e.g. using discard eligibility [DE] bits
    • H04L 47/32 Flow control and congestion control by discarding or delaying data units, e.g. packets or frames
    • H04L 63/1458 Countermeasures against malicious traffic: denial of service
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 69/22 Network arrangements, protocols or services independent of the application payload: parsing or analysis of headers
    • H04L 9/40 Cryptographic mechanisms or arrangements for secret or secure communications: network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network programming technology processing method, system and storage medium. A router node receives a packet carrying a network programming technology code, which indicates that one or more corresponding tasks need to be executed; the router node determines the load state of the processing chip corresponding to the packet's ingress interface; when the load is greater than a predetermined value, the packet carrying the network programming technology code is not processed, and when the load is less than the predetermined value, the packet is processed. With the invention, each node decides according to its own computing capacity whether to execute the related tasks, so the computing capacity available in the network can be fully used: a node can decide whether to perform the related processing according to its own computing capacity, which provides a network programming mechanism in which the executing nodes are more flexible and can cooperate with one another.

Description

A network programming technology processing method, system and storage medium

Technical field

The present invention relates to the field of communication technology, and in particular to a network programming technology processing method, system and storage medium.

Background art

Traditional IP network technology is mainly concerned with forwarding data packets from a source node to a destination node according to the destination address. Network programming technology allows a network operator or an application to encode a sequence of instructions in the IPv6 packet header. In SRv6 these instructions are called SIDs (Segment IDs). An SRv6 SID is defined as LOC:FUNCT:ARG, where the locator (LOC) is encoded in the L most significant bits of the SID, followed by F function bits (FUNCT) and A argument bits (ARG). LOC is used to locate the node and for routing and forwarding, FUNCT specifies the operation, and ARG is optional, since some FUNCT values need no argument.

The most common use of network programming is to specify the nodes a packet passes through. Let S be the IPv6 address of the source node and D the IPv6 address of the destination node. In a traditional network the main information in the IPv6 packet header is <S, D>. In SRv6 network programming, to specify a path, the main information in the IPv6 packet header can be <S, SIDA><SIDA, SIDB, SIDC, D>, where the second pair of angle brackets records that the packet must first reach A, then B, then C, and is then sent on to D. This requires that nodes S, A, B, C and D in the network all support SRv6 network programming.
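The LOC:FUNCT:ARG split and the path encoding described above, as an added example written for this page (not code from the patent): it slices a SID into its three fields for any choice of L, F and A, rebuilds a SID from them, and models how an SRv6 segment list stores the path A, B, C, D. The reverse-order storage and the Segments Left index follow RFC 8754; the sample addresses are constructed.

```python
import ipaddress

SID_BITS = 128  # an SRv6 SID is a full IPv6 address


def split_sid(sid, loc_bits, funct_bits, arg_bits=None):
    """Split an SRv6 SID into its LOC, FUNCT and ARG fields.

    LOC occupies the loc_bits most significant bits, FUNCT the next
    funct_bits, and ARG the arg_bits after that (by default everything that
    remains, so a SID whose FUNCT takes no argument simply decodes ARG as 0).
    """
    if arg_bits is None:
        arg_bits = SID_BITS - loc_bits - funct_bits
    if min(loc_bits, funct_bits, arg_bits) < 0 or loc_bits + funct_bits + arg_bits > SID_BITS:
        raise ValueError("LOC + FUNCT + ARG must fit in 128 bits")
    value = int(ipaddress.IPv6Address(sid))
    loc = value >> (SID_BITS - loc_bits)
    funct = (value >> (SID_BITS - loc_bits - funct_bits)) & ((1 << funct_bits) - 1)
    arg = (value >> (SID_BITS - loc_bits - funct_bits - arg_bits)) & ((1 << arg_bits) - 1)
    return loc, funct, arg


def build_sid(loc, funct, arg, loc_bits, funct_bits, arg_bits=None):
    """Inverse of split_sid: pack the three fields into an IPv6 address string."""
    if arg_bits is None:
        arg_bits = SID_BITS - loc_bits - funct_bits
    for name, field, bits in (("LOC", loc, loc_bits), ("FUNCT", funct, funct_bits),
                              ("ARG", arg, arg_bits)):
        if field >> bits:  # a value wider than its field would corrupt a neighbour
            raise ValueError(f"{name} does not fit in {bits} bits")
    value = ((loc << (SID_BITS - loc_bits))
             | (funct << (SID_BITS - loc_bits - funct_bits))
             | (arg << (SID_BITS - loc_bits - funct_bits - arg_bits)))
    return str(ipaddress.IPv6Address(value))


def locator_prefix(sid, loc_bits):
    """The routable prefix a SID belongs to: LOC is what the network routes on."""
    return str(ipaddress.IPv6Network((sid, loc_bits), strict=False))


def srh_segment_list(path):
    """Segment list as carried in the SRH (RFC 8754): the path in reverse order,
    so Segment List[0] is the last segment and the first hop sits at the end."""
    return list(reversed(path))


def active_segment(segment_list, segments_left):
    """The segment currently written into the IPv6 destination address;
    Segments Left starts at len - 1 and is decremented at each segment endpoint."""
    if not 0 <= segments_left < len(segment_list):
        raise ValueError("Segments Left out of range")
    return segment_list[segments_left]
```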

The shortcoming of the existing technology is that current network programming is not flexible enough in specifying the nodes that perform operations.

Summary of the invention

The present invention provides a network programming technology processing method, system and storage medium to solve the problem that current network programming is not flexible enough in specifying the nodes that perform operations.

The present invention provides the following technical solutions:

A network programming technology processing method, comprising:

a router node receives a packet carrying a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;

the router node determines the load state of the processing chip corresponding to the packet's ingress interface;

when the load is greater than a predetermined value, the packet carrying the network programming technology code is not processed; when the load is less than the predetermined value, the packet carrying the network programming technology code is processed.

In an implementation, the router node determines the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:

the current utilization of the processing chip corresponding to the packet's ingress interface;

the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;

the sum of the rates of the flows to which the packets currently being processed by that processing chip belong.

In an implementation, processing a packet carrying a network programming technology code comprises:

the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;

the tag of each task corresponding to the processing performed is modified: if the router node executes one task, the tag of that one task is modified; if the router node executes several tasks, the tags of those several tasks are modified.

In an implementation, when a packet carrying a network programming technology code is processed and the information carried in the packet indicates that the related task is distributed denial-of-service attack analysis, the method further comprises:

analyzing one or more kinds of network traffic according to one or more acquired traffic models to determine whether a distributed denial-of-service attack exists;

when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the predetermined policy of the router.

In an implementation, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the predetermined policy of the target router comprises:

performing a random packet-drop operation and/or a marking operation on the one or more kinds of abnormal traffic;

if the marking operation is performed, the data packet needs to carry a suspicious or abnormal mark indicating whether the packet is a suspicious or abnormal packet.

In an implementation, when performing the random packet-drop operation or the marking operation, the method further comprises:

if the traffic is judged to be free of anomalies, modifying the task identifier that requested the anomaly detection task, to indicate that the anomaly detection task for the packet has been completed.

In an implementation, a distributed denial-of-service attack is determined to exist when the monitored network traffic of a specific protocol is greater than the threshold traffic for that protocol in the traffic model.

In an implementation, when performing the marking operation, the method further comprises:

if an anomaly is judged to exist, marking the related packets as suspicious or abnormal.

In an implementation, acquiring the traffic models of one or more router nodes comprises:

each router node computes statistics for its own traffic model and stores it on that router;

each router node obtains a reference traffic model from another location and stores it on the router.

In an implementation, the task tags encoded by the network programming technology are stored in the hop-by-hop extension header (HBH) among the extension headers of the IPv6 packet, or in the SRv6 extension header.

A network programming technology processing method, comprising:

at the ingress router node of the network, inserting tags into the packet in the format of the network programming technology code, where a tag represents a corresponding operation and the operation corresponds to one or more tasks that are expected to be executed in the network.

In an implementation, the tag is inserted into the hop-by-hop extension header (HBH) or the SRv6 extension header of the IPv6 packet.

A router node, comprising:

a processor for reading a program in a memory and executing the following process:

receiving a packet carrying a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;

determining the load state of the processing chip corresponding to the packet's ingress interface;

when the load is greater than a predetermined value, not processing the packet carrying the network programming technology code, and when the load is less than the predetermined value, processing the packet carrying the network programming technology code;

and a transceiver for receiving and sending data under the control of the processor.

In an implementation, the load state of the processing chip corresponding to the packet's ingress interface is determined with reference to one or more of the following parameters:

the current utilization of the processing chip corresponding to the packet's ingress interface;

the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;

the sum of the rates of the flows to which the packets currently being processed by that processing chip belong.

In an implementation, processing a packet carrying a network programming technology code comprises:

the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;

the tag of each task corresponding to the processing performed is modified: if the router node executes one task, the tag of that one task is modified; if the router node executes several tasks, the tags of those several tasks are modified.

In an implementation, when a packet carrying a network programming technology code is processed and the information carried in the packet indicates that the related task is distributed denial-of-service attack analysis, the process further comprises:

analyzing one or more kinds of network traffic according to one or more acquired traffic models to determine whether a distributed denial-of-service attack exists;

when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the predetermined policy of the router.

In an implementation, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the predetermined policy of the target router comprises:

performing a random packet-drop operation and/or a marking operation on the one or more kinds of abnormal traffic;

if the marking operation is performed, the data packet needs to carry a suspicious or abnormal mark indicating whether the packet is a suspicious or abnormal packet.

In an implementation, when performing the random packet-drop operation or the marking operation, the process further comprises:

if the traffic is judged to be free of anomalies, modifying the task identifier that requested the anomaly detection task, to indicate that the anomaly detection task for the packet has been completed.

In an implementation, a distributed denial-of-service attack is determined to exist when the monitored network traffic of a specific protocol is greater than the threshold traffic for that protocol in the traffic model.

In an implementation, when performing the marking operation, the process further comprises:

if an anomaly is judged to exist, marking the related packets as suspicious or abnormal.

In an implementation, acquiring the traffic models of one or more router nodes comprises:

each router node computes statistics for its own traffic model and stores it on that router;

each router node obtains a reference traffic model from another location and stores it on the router.

In an implementation, the task tags encoded by the network programming technology are stored in the hop-by-hop extension header (HBH) among the extension headers of the IPv6 packet, or in the SRv6 extension header.

A router node, comprising:

a receiving module for receiving a packet carrying a network programming technology code, the code indicating that one or more corresponding tasks need to be executed;

a load module for determining the load state of the processing chip corresponding to the packet's ingress interface;

and a processing module for not processing the packet carrying the network programming technology code when the load is greater than a predetermined value, and processing the packet carrying the network programming technology code when the load is less than the predetermined value.

In an implementation, the load module is further configured to determine the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:

the current utilization of the processing chip corresponding to the packet's ingress interface;

the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;

the sum of the rates of the flows to which the packets currently being processed by that processing chip belong.

In an implementation, the processing module is further configured such that processing a packet carrying a network programming technology code comprises:

the processing performed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;

the tag of each task corresponding to the processing performed is modified: if the router node executes one task, the tag of that one task is modified; if the router node executes several tasks, the tags of those several tasks are modified.

In an implementation, the processing module is further configured such that, when a packet carrying a network programming technology code is processed and the information carried in the packet indicates that the related task is distributed denial-of-service attack analysis, the processing comprises:

analyzing one or more kinds of network traffic according to one or more acquired traffic models to determine whether a distributed denial-of-service attack exists;

when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the predetermined policy of the router.

In an implementation, the processing module is further configured such that performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the predetermined policy of the target router comprises:

performing a random packet-drop operation and/or a marking operation on the one or more kinds of abnormal traffic;

if the marking operation is performed, the data packet needs to carry a suspicious or abnormal mark indicating whether the packet is a suspicious or abnormal packet.

In an implementation, the processing module is further configured such that performing the random packet-drop operation or the marking operation comprises:

if the traffic is judged to be free of anomalies, modifying the task identifier that requested the anomaly detection task, to indicate that the anomaly detection task for the packet has been completed.

In an implementation, the processing module is further configured to determine that a distributed denial-of-service attack exists when the monitored network traffic of a specific protocol is greater than the threshold traffic for that protocol in the traffic model.

In an implementation, the processing module is further configured such that performing the marking operation comprises:

if an anomaly is judged to exist, marking the related packets as suspicious or abnormal.

In an implementation, the load module is further configured such that acquiring the traffic models of one or more router nodes comprises:

each router node computes statistics for its own traffic model and stores it on that router;

each router node obtains a reference traffic model from another location and stores it on the router.

In an implementation, the processing module is further configured to process the task tags encoded by the network programming technology that are stored in the hop-by-hop extension header (HBH) among the extension headers of the IPv6 packet, or in the SRv6 extension header.

A router node, comprising:

a processor for reading a program in a memory and executing the following process:

when the node acts as the ingress router node of the network, inserting tags into the packet in the format of the network programming technology code, where a tag represents a corresponding operation and the operation corresponds to one or more tasks that are expected to be executed in the network;

and a transceiver for receiving and sending data under the control of the processor.

In an implementation, the tag is inserted into the hop-by-hop extension header (HBH) or the SRv6 extension header of the IPv6 packet.

A router node, comprising:

a tagging module for, when the node acts as the ingress router node of the network, inserting tags into the packet in the format of the network programming technology code, where a tag represents a corresponding operation and the operation corresponds to one or more tasks that are expected to be executed in the network.

In an implementation, the tagging module is further configured to insert the tag into the hop-by-hop extension header (HBH) or the SRv6 extension header of the IPv6 packet.

A computer-readable storage medium storing a computer program which, when executed by a processor, implements the above network programming technology processing method.
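The node-side procedure described in the method and router-node embodiments above (ingress tagging in an HBH option, the load check on the ingress chip, the DDoS check against a per-protocol traffic model, random drop or marking, and the task-tag update), as an added example written for this page and not code from the patent. The option layout, the task codes and states, the rule combining the three load parameters, and all names are assumptions; the patent fixes none of them.

```python
from dataclasses import dataclass
import random
import struct

# Constructed layout for this example: the patent only says task tags live in the
# HBH (or SRv6) extension header and does not fix their format.
OPT_TYPE_TASK = 0x3e        # an RFC 4727 experimental HBH option type; its "chg"
                            # bit (0x20) is set because nodes rewrite the tag en route
TASK_DDOS = 0x01            # assumed code for the "DDoS analysis" task
PENDING, DONE = 0x00, 0x01  # assumed task states


def encode_task_option(tasks):
    """Ingress side: pack {task_code: state} into one HBH option TLV."""
    body = b"".join(struct.pack("BB", t, s) for t, s in sorted(tasks.items()))
    return struct.pack("BB", OPT_TYPE_TASK, len(body)) + body


def decode_task_option(opt):
    """Node side: parse the TLV back; reject anything malformed rather than guess."""
    if len(opt) < 2:
        raise ValueError("truncated option")
    typ, ln = struct.unpack("BB", opt[:2])
    if typ != OPT_TYPE_TASK or len(opt) != 2 + ln or ln % 2:
        raise ValueError("malformed task option")
    return dict(struct.iter_unpack("BB", opt[2:]))


def chip_load(utilization, in_flight, flow_rate_sum, max_in_flight, max_rate):
    """Load of the ingress interface's chip from the three parameters the claims
    list (utilization, packets in flight, summed flow rate), each normalised to
    [0, 1]; taking the worst of them is this example's choice of combination."""
    return max(utilization, in_flight / max_in_flight, flow_rate_sum / max_rate)


def ddos_suspect_protocols(observed_rates, traffic_model):
    """Protocols whose current rate exceeds the threshold the traffic model gives them."""
    return {p for p, r in observed_rates.items() if r > traffic_model.get(p, float("inf"))}


@dataclass
class Packet:
    proto: str          # transport protocol of the packet's flow
    hbh_option: bytes   # the task-tag option carried in the HBH header
    suspicious: bool = False


def process_packet(pkt, load, load_threshold, observed_rates, traffic_model,
                   drop_probability, rng=None):
    """One node's decision for one packet. Returns (action, packet)."""
    if rng is None:
        rng = random.Random()
    if load > load_threshold:
        return "forward-untouched", pkt     # busy: leave the tags for a later node
    tasks = decode_task_option(pkt.hbh_option)
    if tasks.get(TASK_DDOS) != PENDING:
        return "forward-untouched", pkt     # nothing left for this node to do
    if pkt.proto in ddos_suspect_protocols(observed_rates, traffic_model):
        # policy: random drop and/or mark; a dropped packet never leaves the node
        if rng.random() < drop_probability:
            return "drop", pkt
        pkt.suspicious = True               # example's choice: tag stays pending so
        return "forward-marked", pkt        # downstream nodes may re-check the flow
    tasks[TASK_DDOS] = DONE                 # no anomaly: record that the task is complete
    pkt.hbh_option = encode_task_option(tasks)
    return "forward-done", pkt
```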

The beneficial effects of the present invention are as follows:

In the technical solution provided by the embodiments of the present invention, it is not necessary to specify on which node a given function must be executed. Instead, whether to execute the related operation, for example denial-of-service attack handling on one or more kinds of abnormal traffic, is decided according to the computing capacity of the target router and the task execution status carried in the packet header. Because no specific execution location is specified, each node decides according to its own computing capacity whether to execute the related tasks, so the computing capacity available in the network can be fully used, and the result is a network programming mechanism in which the executing nodes are more flexible and can cooperate with one another.

Furthermore, this mechanism supports an easy-to-implement in-network security (network-intrinsic security) mechanism, which can provide better DDoS protection.

Description of the drawings

The drawings described here are provided for a further understanding of the present invention and form part of it; the illustrative embodiments of the present invention and their descriptions serve to explain the invention and do not unduly limit it. In the drawings:

Figure 1 is a schematic diagram of the network architecture of in-network computing in an embodiment of the present invention;

Figure 2 is a schematic flow chart of the network programming technology processing method as implemented on a router node in an embodiment of the present invention;

Figure 3 is a schematic flow chart of the network programming technology processing method as implemented on the ingress router node in an embodiment of the present invention;

Figure 4 is a schematic diagram of the path a packet flows through in an embodiment of the present invention;

Figure 5 is a schematic diagram of the in-network computing network structure of Embodiment 1 of the present invention;

Figure 6 is a schematic diagram of DDoS attack detection in Embodiment 1 of the present invention;

Figure 7 is a schematic diagram of the in-network computing network structure and packet path of Embodiment 2 of the present invention;

Figure 8 is a schematic diagram of the extension headers of an IPv6 packet in an embodiment of the present invention;

Figure 9 is a schematic diagram of the structure of the IPv6 HBH extension header in an embodiment of the present invention;

Figure 10 is a first schematic diagram of the structure of a router node in an embodiment of the present invention;

Figure 11 is a second schematic diagram of the structure of a router node in an embodiment of the present invention.

Detailed Description

During the course of the invention, the inventors noted the following:

Current SRv6 network programming is logically rather rigid: it only supports reaching a specific node and performing a specific operation there. It is quite flexible about which operation is performed, but lacks the ability to flexibly specify which node performs it.

Take DDoS prevention as an example. A DDoS (Distributed Denial of Service) attack is one in which multiple attackers in different locations launch an attack against one or several targets at the same time, or in which one attacker controls multiple machines in different locations and uses them to attack the victim simultaneously. Because the points from which the attack is launched are distributed across different places, this type of attack is called a distributed denial-of-service attack, and there may be more than one attacker.

Principle of a distributed denial-of-service attack: DDoS is a special form of denial-of-service attack built on DoS (Denial of Service); it is a distributed, coordinated, large-scale attack. A single DoS attack is generally one-to-one: it exploits defects in network protocols and operating systems and uses deception and disguise to flood a web server with large volumes of requests that demand replies, consuming network bandwidth or system resources until the network or system is overwhelmed, collapses, and stops providing normal service. Whereas a DoS attack is launched from a single host, a DDoS attack is a collective action launched simultaneously from hundreds or even thousands of hosts that have been compromised and had attack processes installed on them.

Current DDoS defences mainly identify and handle attack traffic at specific network nodes. Such a special node is also known as an IDS, short for "Intrusion Detection System". The problem with this centralized approach is that attack detection usually takes place at a high point in the network, and the processing load on the central node is heavy. Academia and industry are therefore also exploring in-network computing to relieve the computing load on IDS nodes. In-network computing means that network nodes, while forwarding packets, also support some additional packet processing, for example detecting whether particular traffic is attack traffic. The potential advantages of this approach are low latency, high scalability, faster reaction, and proximity to the source node. In the IETF (Internet Engineering Task Force), the research group COIN RG specifically explores how to achieve user security and privacy protection on the basis of in-network computing; its main approach is based on the P4 programmable mechanism.

However, current in-network computing implementations lack a flexible cooperation mechanism between nodes. If a model is adopted in which every node is managed and coordinated by a controller, the controller adjusts which tasks each node executes. The likely problem is that the reaction is slow, mainly because the computing capacity of the forwarding plane on a forwarding node such as a Router changes rapidly and is affected by the traffic load: the more services there are, the greater the forwarding pressure, and the more complex the service processing, the greater the forwarding pressure.

If the SRv6 network programming mentioned above is used, it is per-packet programming based on the data plane. In this case it is still the head node of the path that decides which node performs which task; there is no support for deciding whether to perform an operation based on the actual load of the forwarding node.

During packet forwarding, in-network computing supports the superposition of certain processing capabilities; in attack prevention, the nodes that implement these capabilities can be distributed flexibly.

Figure 1 is a schematic diagram of the in-network computing network architecture. As shown in the figure, in the in-network computing scenario, computation takes place not only on the end side, for example the Client / MEC (Mobile Edge Computing) / Cloud, but may also take place on the programmable Router1-5 (routers), Ingress1 (ingress router) and Egress1-3 (egress routers).

In a traditional network, a router is only responsible for packet forwarding, not for computation; with network programmability technologies such as SRv6 (Segment Routing over IPv6; IPv6: Internet Protocol Version 6), the network supports going to node X and executing Function Y.

In centrally scheduled in-network computing / network programming, computing tasks are decomposed onto different nodes; in this mechanism the Controller perceives computing and network information, makes decisions and issues policies.

In distributed in-network computing / network programming, the distributed Ingress, acting as the Headend of the path, can make some of the decisions.

The problem with centralized scheduling is that the computing capacity of the forwarding plane on a Router changes rapidly and is affected by the traffic load (the more services, the greater the forwarding pressure; the more complex the service processing, the greater the forwarding pressure), so centralized scheduling may react slowly.

The problem with distributed scheduling is that although the decision points are distributed, execution is still fairly fixed: it takes no account of the computing capacity on the Router or of whether the Router is already executing other tasks.

That is, in the prior art the location at which computation takes place is relatively fixed and not flexible enough.

On this basis, embodiments of the present invention provide a processing scheme based on in-network computing and network programmability, explained below using the handling of a distributed denial-of-service attack as an example. Specific embodiments of the present invention are described below with reference to the accompanying drawings.

Figure 2 is a schematic flow diagram of the implementation of the network programming technology processing method on a router node. As shown in the figure, it may include:

Step 201: the router node receives a packet containing a network programming technology code, where the network programming technology code indicates that one or more corresponding tasks need to be executed;

Step 202: the router node determines the load state of the processing chip corresponding to the packet's ingress interface;

Step 203: when the load is greater than a predetermined value, the packet containing the network programming technology code is not processed; when the load is less than the predetermined value, the packet containing the network programming technology code is processed.

In implementation, the router node may determine the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:

the current utilization of the processing chip corresponding to the packet's ingress interface;

the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;

the sum of the rates of the flows to which the packets currently being processed by the processing chip corresponding to the packet's ingress interface belong.

In implementation, processing a packet containing a network programming technology code includes:

the processing executed corresponds to the one or more tasks that need to be executed, and each of those tasks has a corresponding task tag in the data packet;

the tag of the task corresponding to the processing executed is modified: if the router node executes one task, the tag of that one task is modified; if the router node executes several tasks, the tags of those several tasks are modified.
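The load-gated decision of steps 201 to 203, with the three load parameters just listed and the task-tag bookkeeping, as an added example (not code from the patent or its applicants). The concrete thresholds, the "any parameter over its limit" rule, and the 8-bit tag layout (leftmost bit = suspicious, the remaining bits = one task each) are assumptions made for illustration; the patent leaves them to the implementer.

```python
"""Load-gated execution of in-packet task tags on a forwarding node.
Added example; thresholds and the bit layout are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class ChipLoad:
    """The three load parameters of the processing chip behind the
    ingress interface, as named in the text."""
    utilization: float          # fraction of chip capacity in use, 0.0..1.0
    packets_in_flight: int      # packets currently being processed
    flow_rate_sum_mbps: float   # sum of the rates of the flows those packets belong to


@dataclass
class LoadLimits:
    """Predetermined values (assumed) above which optional work is declined."""
    utilization: float = 0.80
    packets_in_flight: int = 10_000
    flow_rate_sum_mbps: float = 8_000.0


def is_overloaded(load: ChipLoad, limits: LoadLimits = LoadLimits()) -> bool:
    """Step 202/203: treat the chip as overloaded when any one of the
    parameters exceeds its predetermined value (assumed any-of rule)."""
    return (load.utilization > limits.utilization
            or load.packets_in_flight > limits.packets_in_flight
            or load.flow_rate_sum_mbps > limits.flow_rate_sum_mbps)


# Assumed 8-bit task code; bit 7 is the "first" (leftmost) bit of the text.
SUSPICIOUS = 0b10000000   # traffic flagged suspicious by an earlier node
TASK_DDOS = 0b01000000    # Embodiment 1: generic DDoS filtering task
TASK_DNS = 0b00100000     # Embodiment 2: check DNS traffic
TASK_ICMP = 0b00001000    # Embodiment 2: check ICMP traffic


def process_packet(flags: int, load: ChipLoad, capable: int,
                   limits: LoadLimits = LoadLimits()) -> tuple[int, int]:
    """Return (new_flags, executed_mask) for one received packet.

    `capable` is the set of task bits this node is able to run right now.
    When overloaded the packet is forwarded untouched (step 203) so that a
    later node or the IDS picks the tasks up. Otherwise every pending task
    this node is capable of is executed and its tag is cleared so no
    downstream node repeats it; the suspicious bit is never a task and is
    left as it was."""
    if is_overloaded(load, limits):
        return flags, 0
    pending = flags & ~SUSPICIOUS
    executed = pending & capable
    return flags & ~executed, executed


if __name__ == "__main__":
    light = ChipLoad(utilization=0.30, packets_in_flight=120, flow_rate_sum_mbps=450.0)
    heavy = ChipLoad(utilization=0.95, packets_in_flight=120, flow_rate_sum_mbps=450.0)
    print(process_packet(0b01000000, light, TASK_DDOS))   # (0, 64): task done, tag cleared
    print(process_packet(0b01000000, heavy, TASK_DDOS))   # (64, 0): passed on unchanged
    print(process_packet(0b00101000, light, TASK_DNS))    # (8, 32): DNS done, ICMP left
```

The actual task bodies (the traffic analysis) are deliberately outside this function: it only answers "do I take this work now, and which tags do I rewrite", which is the part of the method that differs from plain SRv6.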

In implementation, when processing a packet containing a network programming technology code, if the information carried in the packet indicates that the relevant task is distributed denial-of-service attack analysis, the processing further includes:

analysing one or more kinds of network traffic according to one or more acquired traffic models to determine whether a distributed denial-of-service attack exists;

when a distributed denial-of-service attack exists, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the router's predetermined policy, for example dropping packets.

In specific implementation, performing denial-of-service attack handling on one or more kinds of abnormal traffic according to the target router's predetermined policy includes:

performing a random packet-drop operation and/or a marking operation on the one or more kinds of abnormal traffic;

if the marking operation is performed, the data packet needs to carry a suspicious/abnormal tag indicating whether the packet is suspicious or abnormal.

In specific implementation, acquiring the traffic model of one or more router nodes includes:

each router node computing the statistical traffic model of its own node and storing it on that router;

each router node obtaining a reference traffic model from elsewhere, for example from a centralized control or management node, and storing it on the router.

In implementation, determining whether a distributed denial-of-service attack exists may, for example, consist of determining that one exists when the monitored network traffic of a particular protocol exceeds the threshold traffic for that protocol in the traffic model.

In implementation, denial-of-service attack handling includes performing a random packet-drop operation or a marking operation on one or more kinds of abnormal traffic.

Specifically: the traffic model of one or more router nodes is acquired; one or more kinds of network traffic are analysed according to one or more traffic models, and if the network traffic exceeds the threshold traffic, a distributed denial-of-service attack is determined to exist; when a distributed denial-of-service attack exists, a random packet-drop operation or a marking operation is performed on one or more kinds of abnormal traffic according to the target router's predetermined policy.

In implementation, when the result of the determination is that no distributed denial-of-service attack exists, the method further includes:

if the traffic is judged to be normal, modifying the task identifier that requested the anomaly detection task, to indicate that the packet's anomaly detection task has been completed.

In implementation, when the marking operation is performed, the method further includes:

if an anomaly is judged to exist, marking the relevant packets as suspicious or abnormal.

Figure 3 is a schematic flow diagram of the implementation of the network programming technology processing method on an ingress router node. As shown in the figure, it may include:

Step 301: at the ingress router node of the network, tags are inserted into packets in the format of the network programming technology code; a tag represents a corresponding operation, and the operation corresponds to one or more tasks that it is desired to execute somewhere in the network.

In implementation, the tag is inserted into the HBH (Hop-by-Hop Options) header of the IPv6 packet or into the SRv6 extension header.

The following explains with examples.

Typical current network programming / in-network computing technologies such as SRv6 express "go to node x1, execute F1". In the distributed in-network computing mechanism provided by the embodiments of the present invention, the location at which computation is executed is not mandated (going to node x1/2/3/... and executing F1 is allowed), and likewise F1 may also not be executed at all.

Figure 4 is a schematic diagram of the path a packet flows along. As shown in the figure, assuming there are two tasks in total, the nodes on the path selectively perform processing according to their own situation, and by Egress3 both tasks have been completed.

Dynamic cooperation in the network: each Router decides, according to its own situation, whether to perform DDoS attack detection;

Cooperation on the data plane: all packets, or the relevant packets, have tags inserted at the ingress router node; optionally, intermediate router nodes perform processing and modify the tags, and work that has already been done is not repeated; optionally, the IDS completes whatever work remains unprocessed.

Embodiment 1:

In this example, DDoS detection is performed on a single router.

Figure 5 is a schematic diagram of the in-network computing network structure of Embodiment 1. As shown in the figure, in this network:

Assumption: Router1-5, Ingress1 and Egress1-3 have in-network computing capability deployed and support DDoS attack detection when their load is light.

One detection method, for example, uses an AI (Artificial Intelligence) based mechanism to build a statistical traffic model of the node's own traffic; afterwards, if DDoS attack detection is required, the traffic is analysed, and if the deviation is large, for example reaching a threshold, a DDoS attack is considered possible and random packet dropping / marking is performed.

Figure 6 is a schematic diagram of DDoS attack detection in Embodiment 1. As shown in the figure, by comparing Pa (the traffic model based on historical data) with P2 (the currently monitored traffic model) for the changes in incoming SSDP (Simple Service Discovery Protocol), ICMP (Internet Control Message Protocol), DNS (Domain Name System), SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol) traffic, it can be determined whether a DDoS attack exists.

Random packet-drop handling may be implemented as follows:

(1) The Ingress node tags the traffic that needs analysis, for example by inserting 01000000 into the packet header, meaning that DDoS filtering is required but without specifying which node must perform it.

(2) A node receiving the packet, for example Router1, performs DDoS filtering if its load is light at that moment; concretely, it analyses the packet to see whether the traffic characteristics are abnormal;

if an anomaly is judged to exist, the relevant packets are randomly dropped;

if no anomaly is found, the flag bits are cleared to 00000000.

(3) Optionally, if a packet was tagged at the Ingress but was not processed (that is, DDoS detection and clearing of the tag) at the Ingress or at any of Router1-5, then Egress1/2/3 performs detection on the unprocessed packet.

Marking may be implemented as follows:

(1) The Ingress node tags the traffic that needs analysis, for example by inserting 01000000 into the packet header, meaning that DDoS filtering is required but without specifying which node must perform it; at the same time, the first flag bit indicates whether the traffic is suspicious.

(2) A node receiving the packet, for example Router1, performs DDoS filtering if its load is light at that moment; concretely, it analyses the packet to see whether the traffic characteristics are abnormal;

if an anomaly is judged to exist, the relevant packets are marked by changing the tag to 11000000;

if no anomaly is found, the flag bits are cleared to 00000000.

(3) Optionally, Egress1/2/3 perform detection on unprocessed packets and on packets whose first bit is set to 1.

Embodiment 2:

In this example, DDoS detection is performed cooperatively on several routers.

Figure 7 is a schematic diagram of the in-network computing network structure and packet path of Embodiment 2. As shown in the figure, in this network:

Assumption: Router1-5, Ingress1 and Egress1-3 have in-network computing capability deployed and support DDoS attack detection when their load is light.

For example, an AI-based mechanism builds a statistical traffic model of the node's own traffic; afterwards, if DDoS attack detection is required, the traffic is analysed, and if the deviation is large, for example reaching a threshold, a DDoS attack is considered possible and a random packet-drop / marking operation is performed.

Random packet dropping may be implemented as follows:

(1) The Ingress node tags the traffic that needs analysis, for example by inserting 00101000 into the packet header, meaning that DDoS filtering is required but without specifying which node must perform it. There are two tasks, for example one requesting detection of DNS traffic and one requesting detection of ICMP traffic; that is, in implementation, whether the traffic is abnormal is determined by checking DNS traffic and/or checking ICMP traffic.

(2) A node receiving the packet, for example Router1/3, performs DDoS filtering if its load is light at that moment; concretely, it analyses the packet to see whether the traffic characteristics are abnormal;

if an anomaly is judged to exist, the relevant packets are randomly dropped;

if no anomaly is found, the flag bit of the corresponding task is cleared.

(3) Optionally, Egress1/2/3 perform detection on unprocessed packets.

Marking may be implemented as follows:

(1) The Ingress node tags the traffic that needs analysis, for example by inserting 00101000 into the packet header, meaning that DDoS filtering is required but without specifying which node must perform it; at the same time, the first flag bit indicates whether the traffic is suspicious.

(2) A node receiving the packet, for example Router1, performs DDoS filtering if its load is light at that moment; concretely, it analyses the packet to see whether the traffic characteristics are abnormal;

if an anomaly is judged to exist, the relevant packets are marked by changing the tag to 10001000;

if no anomaly is found, the flag bits are cleared to 00001000.

(3) Optionally, Egress1/2/3 perform detection on unprocessed packets and on packets whose first bit is set to 1.
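The per-protocol threshold check (Pa versus P2) and the random-drop / marking actions described in the method section and in Embodiments 1 and 2, as an added example (not code from the patent or its applicants). The reference model values, the observed rates, the drop probability and the bit layout are constructed for illustration. One convention has to be chosen where the two embodiments differ: Embodiment 1 leaves the task bit set when it marks (01000000 becomes 11000000), Embodiment 2 clears it (00101000 becomes 10001000); the block follows Embodiment 2, and assumes that packets surviving a random drop keep their task bit so the egress or IDS still examines them.

```python
"""Traffic-model based DDoS check and per-packet action on an in-network node.
Added example; model values, rates and the flag layout are constructed."""
import random

# Assumed 8-bit task code; bit 7 is the "first" (leftmost) bit of the text.
SUSPICIOUS = 0b10000000
TASK_DDOS = 0b01000000    # Embodiment 1: one task covering all modelled protocols
TASK_DNS = 0b00100000     # Embodiment 2: check DNS traffic
TASK_ICMP = 0b00001000    # Embodiment 2: check ICMP traffic

# Constructed reference model Pa: per-protocol threshold rate in packets/s,
# standing in for the statistics a node keeps about its own normal traffic.
MODEL_PA = {"SSDP": 200, "ICMP": 500, "DNS": 3000, "SNMP": 100, "NTP": 150}

# Which protocols each task bit is responsible for checking.
TASK_PROTOCOLS = {
    TASK_DDOS: tuple(MODEL_PA),
    TASK_DNS: ("DNS",),
    TASK_ICMP: ("ICMP",),
}


def detect(observed: dict, model: dict = MODEL_PA, protocols=None) -> list:
    """Compare the currently monitored rates P2 (`observed`, packets/s per
    protocol) with the model Pa and return the protocols over threshold."""
    protocols = protocols or tuple(model)
    return [p for p in protocols if observed.get(p, 0) > model[p]]


def handle(flags: int, task: int, observed: dict, mode: str,
           drop_prob: float = 0.5, rng: random.Random = None) -> tuple:
    """Execute one task bit on one packet and return (new_flags, action),
    where action is 'forward', 'drop' or 'mark'.

    mode='drop': anomalous traffic is randomly dropped with `drop_prob`;
    mode='mark': anomalous traffic gets the suspicious bit set instead.
    When nothing is found the task bit is cleared so no later node repeats it."""
    rng = rng or random.Random()
    anomalous = detect(observed, protocols=TASK_PROTOCOLS[task])
    if not anomalous:
        return flags & ~task, "forward"
    if mode == "drop":
        # Assumption: survivors keep the task bit so the egress/IDS re-checks them.
        return flags, ("drop" if rng.random() < drop_prob else "forward")
    # Embodiment 2 convention: completed task bit cleared, suspicious bit set.
    return (flags & ~task) | SUSPICIOUS, "mark"


if __name__ == "__main__":
    # Constructed one-second snapshot P2 with a DNS surge and normal ICMP.
    p2 = {"SSDP": 20, "ICMP": 50, "DNS": 5000, "SNMP": 3, "NTP": 10}
    print(detect(p2))                                   # ['DNS']
    print(handle(0b00101000, TASK_DNS, p2, "mark"))     # (136, 'mark')  -> 10001000
    print(handle(0b00101000, TASK_ICMP, p2, "mark"))    # (32, 'forward') -> 00100000
    print(handle(0b01000000, TASK_DDOS, p2, "drop", drop_prob=1.0))  # (64, 'drop')
```

The comparison is deliberately a plain threshold per protocol, which is exactly what the text specifies; an AI-derived model as in Embodiment 1 would only change how `MODEL_PA` is produced, not this decision path.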

In implementation, the marking operation is performed in an extension header of the IPv6 header or in the SRv6 extension header.

In implementation, use resembling traditional network programming is not excluded: the packet can specify that a specific function be performed at a specific location, and can additionally specify that another specific function be performed at any node along the path; the two kinds of function are stored in different positions in the packet. Figure 8 is a schematic diagram of the extension headers of an IPv6 packet. As shown in the figure, the extension headers are optional, each identified by its own type, for example the Hop-by-Hop Options header, the Destination Options header and the Routing header.

In SRv6, an SRH (Segment Routing Header) can be carried, which contains the SRH's SID list (SID: Segment IDentifier), a list of several 128-bit addresses.

In implementation, the network programming technology code, i.e. the task tag, is stored in an extension header of the IPv6 packet, specifically in the IPv6 Hop-by-Hop Options header (HBH) or in the SRv6 extension header.

In the mechanism in which any node on the path may execute the function, the HBH (Hop-by-Hop) header can be used instead of the SRH. The reason lies in the processing logic: the HBH header is examined at every hop, whereas the SRH is examined only after the DA (destination address) matches.

In specific implementation, marking is performed in the IPv6 HBH extension header.

Figure 9 is a schematic diagram of the structure of the IPv6 HBH extension header. As shown in the figure, the most suitable place to add the detection-requirement information to each packet is the IPv6 HBH extension header; specifically, the information may be 8 bits, or longer, for example 32 bits.

The corresponding encapsulation may be added at the Ingress and optionally removed at the Egress.

The specific meaning of each bit can be customized, for example:

a bit indicating whether the traffic is suspicious;

a bit indicating that a task needs to be executed, for example that the Router is asked to filter a certain kind of traffic;

a bit indicating that the Router is asked to filter traffic using a particular traffic model.

For example, an unassigned option type 0x0D is requested from IANA (Internet Assigned Numbers Authority); this option carries a TLV (Type, Length, Value) that is processed by each node, and the value portion of the TLV can be read and modified.
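How the task code described above would be carried and rewritten inside an IPv6 Hop-by-Hop Options header, as an added example (not code from the patent or its applicants). It builds the header per RFC 8200 (Next Header, Hdr Ext Len in 8-octet units, then option TLVs padded with PadN to an 8-octet boundary), using the option type 0x0D that the text proposes to request from IANA, and walks the TLVs the way a per-hop node would to read or modify the value. The 1-byte value and the 4-byte variant are the 8-bit / 32-bit sizes the text mentions. One practitioner caveat is recorded in a comment: RFC 8200 reserves bit 0x20 of the option type to declare that option data may change en route, and 0x0D has that bit clear even though the scheme rewrites the value in flight.

```python
"""IPv6 Hop-by-Hop Options header carrying a per-node task code.
Added example; option type 0x0D is the value proposed in the text, not an
IANA assignment."""
from typing import Optional, Tuple

OPT_PAD1 = 0x00
OPT_PADN = 0x01
OPT_TASK = 0x0D   # proposed in the text. Note: RFC 8200 bit 0x20 ("option
                  # data may change en route") is clear in 0x0D, although the
                  # value is rewritten hop by hop; a real registration should
                  # weigh that, since AH-style integrity checks rely on the bit.


def build_hbh(next_header: int, task_code: bytes) -> bytes:
    """Return a Hop-by-Hop Options header: Next Header, Hdr Ext Len, the task
    option (type, length, value) and Pad1/PadN to an 8-octet boundary."""
    if not 1 <= len(task_code) <= 255:
        raise ValueError("task code must be 1..255 octets")
    body = bytes([OPT_TASK, len(task_code)]) + task_code
    pad = (8 - (2 + len(body)) % 8) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad >= 2:
        body += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1   # length in 8-octet units, first 8 excluded
    return bytes([next_header, hdr_ext_len]) + body


def find_task_option(hbh: bytes) -> Optional[Tuple[int, int]]:
    """Walk the option TLVs like a forwarding node and return
    (value_offset, value_length) of the task option, or None if absent."""
    total = (hbh[1] + 1) * 8
    i = 2
    while i < total:
        opt_type = hbh[i]
        if opt_type == OPT_PAD1:          # Pad1 has no length octet
            i += 1
            continue
        length = hbh[i + 1]
        if opt_type == OPT_TASK and length >= 1:
            return i + 2, length
        i += 2 + length
    return None


def read_task_code(hbh: bytes) -> Optional[bytes]:
    """The value a node inspects at every hop (HBH, unlike SRH, is looked at
    by every node on the path)."""
    found = find_task_option(hbh)
    if found is None:
        return None
    off, length = found
    return hbh[off:off + length]


def rewrite_task_code(hbh: bytes, new_code: bytes) -> bytes:
    """In-place rewrite of the value (e.g. clearing a task bit after the node
    has executed it). The length is fixed, so the header layout is unchanged."""
    found = find_task_option(hbh)
    if found is None:
        return hbh
    off, length = found
    if len(new_code) != length:
        raise ValueError("task code length must not change en route")
    return hbh[:off] + new_code + hbh[off + length:]


if __name__ == "__main__":
    hbh = build_hbh(6, b"\x40")                  # TCP next, task code 01000000
    print(hbh.hex())                             # 06000d01400101 00 -> 8 octets
    print(read_task_code(hbh))                   # b'@'  (0x40)
    print(read_task_code(rewrite_task_code(hbh, b"\x00")))   # b'\x00'
```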

基于同一发明构思,本发明实施例中还提供了一种路由器节点、及计算机可读存储介质,由于这些设备解决问题的原理与网络编程技术处理方法相似,因此这些设备的实施可以参见方法的实施,重复之处不再赘述。Based on the same inventive concept, embodiments of the present invention also provide a router node and a computer-readable storage medium. Since the principles of problem solving by these devices are similar to the network programming technology processing methods, the implementation of these devices can be referred to the implementation of the method. , the repetitive parts will not be repeated.

在实施本发明实施例提供的技术方案时,可以按如下方式实施。When implementing the technical solution provided by the embodiment of the present invention, it can be implemented in the following manner.

图10为路由器节点结构示意图一,如图所示,路由器节点中包括:Figure 10 is a schematic diagram of the router node structure. As shown in the figure, the router nodes include:

处理器1000,用于读取存储器1020中的程序,执行下列过程:The processor 1000 is used to read the program in the memory 1020 and perform the following processes:

收到含有网络编程技术编码的报文,所述的网络编程技术编码指示了有一个或多个对应的任务需要被执行;Receive a message containing a network programming technology code, which indicates that one or more corresponding tasks need to be executed;

确定所述报文入接口对应的处理芯片的负载状态;Determine the load status of the processing chip corresponding to the message incoming interface;

在负载大于预定值时,不对含有网络编程技术编码的报文进行处理,在负载小于预定值时,对含有网络编程技术编码的报文进行处理;When the load is greater than the predetermined value, the packets containing the network programming technology code will not be processed; when the load is less than the predetermined value, the packets containing the network programming technology code will be processed;

收发机1010,用于在处理器1000的控制下接收和发送数据。Transceiver 1010 for receiving and transmitting data under the control of processor 1000.

实施中,确定所述报文入接口对应的处理芯片的负载状态,是参考如下的一个或者多个参数确定的:In implementation, the load status of the processing chip corresponding to the packet incoming interface is determined with reference to one or more of the following parameters:

所述报文入接口对应的处理芯片目前的利用率;The current utilization rate of the processing chip corresponding to the packet incoming interface;

所述报文入接口对应的处理芯片目前正在处理的报文的数量;The number of packets currently being processed by the processing chip corresponding to the packet incoming interface;

所述报文入接口对应的处理芯片目前正在处理的报文所在的流的速率和。The sum of the rates of the streams where the packets currently being processed by the processing chip corresponding to the packet incoming interface are.

实施中,对含有网络编程技术编码的报文进行处理,包括:During implementation, messages containing network programming technology codes are processed, including:

执行的处理对应了所述的需要被执行的一个或多个任务,一个或多个任务在数据报文中有对应的任务标记;The executed processing corresponds to one or more tasks that need to be executed, and one or more tasks have corresponding task tags in the data message;

修改执行的处理对应的任务的标记,如果路由器节点执行一个任务,那么修改对应的一个任务的标记,如果路由器节点执行了多个的任务,那么修改对应的多个任务标记。Modify the tag of the task corresponding to the executed processing. If the router node executes one task, then modify the tag of the corresponding task. If the router node executes multiple tasks, then modify the tags of multiple corresponding tasks.

实施中,对含有网络编程技术编码的报文进行处理时,若报文中携带信息指示了相关的任务是进行分布式拒绝服务攻击分析,进一步包括:During implementation, when processing packets containing network programming technology coding, if the packet carries information indicating that the relevant task is to conduct distributed denial-of-service attack analysis, it further includes:

analysing one or more types of network traffic against the acquired traffic model or models to determine whether a distributed denial-of-service attack is present;

and, when a distributed denial-of-service attack is present, performing denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.

In implementation, performing denial-of-service attack processing on one or more types of abnormal traffic according to the target router's predetermined policy includes:

performing a random packet-drop operation and/or a marking operation on the one or more types of abnormal traffic,

where, if the marking operation is performed, the data packet must carry a suspicious-or-abnormal mark indicating whether the packet is suspicious or abnormal.

In implementation, performing the random packet-drop operation or the marking operation further includes:

if the traffic is judged not to be abnormal, modifying the task identifier that indicates the anomaly detection task is requested, so that it indicates the packet's anomaly detection task has been completed.

In implementation, determining whether a distributed denial-of-service attack is present means determining that one is present when the monitored network traffic of a particular protocol exceeds the threshold traffic for that protocol in the traffic model.

In implementation, performing the marking operation further includes:

if an abnormality is judged to be present, marking the related packets as suspicious or abnormal.

In implementation, obtaining the traffic model of one or more router nodes includes:

each router node compiling statistics for its own traffic model and storing it on that router;

and each router node obtaining a reference traffic model from elsewhere and storing it on the router.

In implementation, the task mark encoded by the network programming technique is stored in the hop-by-hop (HBH) extension header or the SRv6 extension header of the IPv6 packet.

In FIG. 10, the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors, represented by processor 1000, and various circuits of memory, represented by memory 1020. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides the interface. The transceiver 1010 may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 1000 manages the bus architecture and general processing, and the memory 1020 may store data used by the processor 1000 when performing operations.

An embodiment of the present invention further provides a router node, comprising:

a receiving module, configured to receive a packet containing a network programming code, the code indicating that one or more corresponding tasks need to be executed;

a load module, configured to determine the load state of the processing chip corresponding to the packet's ingress interface;

and a processing module, configured not to process the packet containing the network programming code when the load exceeds a predetermined value, and to process it when the load is below the predetermined value.

In implementation, the load module is further configured to determine the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:

the current utilisation of the processing chip corresponding to the packet's ingress interface;

the number of packets currently being processed by that chip;

and the sum of the rates of the flows to which the packets currently being processed by that chip belong.

In implementation, when processing a packet containing a network programming code, the processing module is further configured such that:

the processing executed corresponds to the one or more tasks that need to be executed, and each such task has a corresponding task mark in the data packet;

and the mark of each task whose processing was executed is modified: if the router node executes one task, the mark of that one task is modified; if it executes several tasks, the marks of those several tasks are modified.

In implementation, when processing a packet containing a network programming code whose carried information indicates that the relevant task is distributed denial-of-service attack analysis, the processing module is further configured to:

analyse one or more types of network traffic against the acquired traffic model or models to determine whether a distributed denial-of-service attack is present;

and, when a distributed denial-of-service attack is present, perform denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.

In implementation, when performing denial-of-service attack processing on one or more types of abnormal traffic according to the target router's predetermined policy, the processing module is further configured to:

perform a random packet-drop operation and/or a marking operation on the one or more types of abnormal traffic,

where, if the marking operation is performed, the data packet must carry a suspicious-or-abnormal mark indicating whether the packet is suspicious or abnormal.

In implementation, when performing the random packet-drop operation or the marking operation, the processing module is further configured to:

if the traffic is judged not to be abnormal, modify the task identifier that indicates the anomaly detection task is requested, so that it indicates the packet's anomaly detection task has been completed.

In implementation, when determining whether a distributed denial-of-service attack is present, the processing module is further configured to determine that one is present when the monitored network traffic of a particular protocol exceeds the threshold traffic for that protocol in the traffic model.

In implementation, when performing the marking operation, the processing module is further configured to:

if an abnormality is judged to be present, mark the related packets as suspicious or abnormal.

In implementation, when obtaining the traffic model of one or more router nodes, the load module is further configured such that:

each router node compiles statistics for its own traffic model and stores it on that router;

and each router node obtains a reference traffic model from elsewhere and stores it on the router.

In implementation, the processing module is further configured to process the task mark encoded by the network programming technique that is stored in the hop-by-hop (HBH) extension header or the SRv6 extension header of the IPv6 packet.

For convenience of description, the parts of the above device are described separately as modules or units divided by function. Naturally, when implementing the present invention, the functions of the modules or units may be implemented in one or more pieces of software or hardware.

FIG. 11 is a second schematic diagram of the structure of a router node. As shown, the router node includes:

a processor 1100, configured to read a program in a memory 1120 and execute the following process:

when serving as an ingress router node of the network, inserting marks into packets in the format encoded by the network programming technique, the marks representing corresponding operations, and the operations corresponding to one or more tasks that are to be executed in the network;

and a transceiver 1110, configured to receive and send data under the control of the processor 1100.

In implementation, the mark is inserted into the hop-by-hop (HBH) extension header or the SRv6 extension header of the IPv6 packet.

In FIG. 11, the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors, represented by processor 1100, and various circuits of memory, represented by memory 1120. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides the interface. The transceiver 1110 may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. The processor 1100 manages the bus architecture and general processing, and the memory 1120 may store data used by the processor 1100 when performing operations.

An embodiment of the present invention further provides a router node, comprising:

a marking module, configured, when the node serves as an ingress router node of the network, to insert marks into packets in the format encoded by the network programming technique, the marks representing corresponding operations, and the operations corresponding to one or several tasks that are to be executed in the network.

In implementation, the marking module is further configured to insert the mark into the hop-by-hop (HBH) extension header or the SRv6 extension header of the IPv6 packet.

For convenience of description, the parts of the above device are described separately as modules or units divided by function. Naturally, when implementing the present invention, the functions of the modules or units may be implemented in one or more pieces of software or hardware.

An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network programming processing method described above.

For specific implementation, refer to the implementation of the network programming processing method on the router node, or when the node serves as an ingress router node of the network.

In summary, the technical solution provided by the embodiments of the present invention targets DDoS with a new data-plane network programmability mechanism: traffic is marked at the ingress node and processed, according to the mark, at some network node that is not determined in advance. There is no need to specify the Location at which a given Function must execute; several tasks can be executed in the network without specifying their execution position, and each node decides according to its own computing capacity whether to execute them.

The computing capacity available in the network can thus be fully used: each node decides, according to its own computing capacity, whether to perform the related processing. This provides an easily implemented in-network security (network-intrinsic security) mechanism that can offer better DDoS protection.
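The procedure described above (ingress marking in the IPv6 HBH header, the transit node's load check against the three listed parameters, the per-protocol traffic-model comparison, and the marking, random-drop and task-completion updates) as one self-contained software model. This is an added example, not code from the patent or from China Mobile: the HBH option type (0x3E), the two-byte task-code/flags entries, the task code for DDoS analysis, the flag bits, the load threshold of 0.8 and the worst-ratio load normalisation are all assumptions, since the patent fixes none of these encodings; the traffic-model thresholds and observed rates in `demo()` are constructed inputs.

```python
"""Software model of task-tagged IPv6 hop-by-hop (HBH) processing.

Added example, not code from the patent. The option type, the TLV layout,
the task code, the flag bits and the load threshold are all assumptions.
"""
import random
import struct

NH_UDP = 17                      # IPv6 Next Header value of the payload behind the HBH header
TASK_OPT_TYPE = 0x3E             # assumed: experimental HBH option type (RFC 4727 range)
TASK_DDOS_ANALYSIS = 0x01        # assumed task code for "perform DDoS analysis"
F_DONE, F_SUSPICIOUS, F_ABNORMAL = 0x01, 0x02, 0x04   # assumed per-task flag bits
LOAD_THRESHOLD = 0.8             # assumed "predetermined value" for the chip load


def build_hbh(next_header, task_codes):
    """Ingress node: encode the task marks as one HBH option and pad the
    header to a multiple of 8 octets with Pad1/PadN, as RFC 8200 requires."""
    body = b"".join(struct.pack("!BB", code, 0) for code in task_codes)   # flags start at 0
    opts = struct.pack("!BB", TASK_OPT_TYPE, len(body)) + body
    pad = (-(2 + len(opts))) % 8
    if pad == 1:
        opts += b"\x00"                                            # Pad1
    elif pad > 1:
        opts += b"\x01" + bytes([pad - 2]) + b"\x00" * (pad - 2)   # PadN
    hdr_ext_len = (2 + len(opts)) // 8 - 1                         # 8-octet units, first not counted
    return struct.pack("!BB", next_header, hdr_ext_len) + opts


def parse_hbh(hbh):
    """Walk the HBH options; return (next_header, [[code, flags], ...], offset of
    the first task entry), or (next_header, [], None) if no task option is present."""
    next_header, hdr_ext_len = struct.unpack("!BB", hbh[:2])
    end = (hdr_ext_len + 1) * 8
    i = 2
    while i < end:
        opt_type = hbh[i]
        if opt_type == 0:            # Pad1 has no length field
            i += 1
            continue
        length = hbh[i + 1]
        if opt_type == TASK_OPT_TYPE:
            data = hbh[i + 2:i + 2 + length]
            tasks = [list(struct.unpack("!BB", data[j:j + 2])) for j in range(0, length, 2)]
            return next_header, tasks, i + 2
        i += 2 + length
    return next_header, [], None


def write_tasks(hbh, tasks, offset):
    """Rewrite the task entries in place; their count, and so the header length, is unchanged."""
    body = b"".join(struct.pack("!BB", code, flags) for code, flags in tasks)
    return hbh[:offset] + body + hbh[offset + len(body):]


def chip_load(utilization, in_flight, in_flight_cap, flow_rate_sum, rate_cap):
    """Load state of the ingress interface's processing chip from the three
    parameters the text lists. Taking the worst normalised ratio is an assumption."""
    return max(utilization, in_flight / in_flight_cap, flow_rate_sum / rate_cap)


def node_process(hbh, load, protocol, observed_rate, traffic_model, rng=None, drop_prob=0.5):
    """One transit node. Returns ("forward", hbh) or ("drop", None)."""
    rng = rng or random.Random(0)
    if load > LOAD_THRESHOLD:
        return "forward", hbh        # overloaded: leave the marks for a downstream node
    next_header, tasks, off = parse_hbh(hbh)
    if off is None:
        return "forward", hbh
    for task in tasks:
        code, flags = task
        if code != TASK_DDOS_ANALYSIS or flags & F_DONE:
            continue                 # not our task, or already completed upstream
        if observed_rate > traffic_model[protocol]:
            task[1] = flags | F_ABNORMAL            # above the model's threshold: mark
            if rng.random() < drop_prob:            # predetermined policy: random drop
                return "drop", None
        else:
            task[1] = flags | F_DONE                # no anomaly: record the task as done
    return "forward", write_tasks(hbh, tasks, off)


def demo():
    model = {"udp": 50_000, "tcp": 200_000}               # constructed per-protocol thresholds (bytes/s)
    hbh = build_hbh(NH_UDP, [TASK_DDOS_ANALYSIS])          # ingress marks the packet
    busy = chip_load(0.95, 100, 1000, 10_000, 1_000_000)   # 0.95: above threshold, skip
    idle = chip_load(0.30, 100, 1000, 10_000, 1_000_000)   # 0.30: below threshold, process
    return (node_process(hbh, busy, "udp", 80_000, model),
            node_process(hbh, idle, "udp", 20_000, model),
            node_process(hbh, idle, "udp", 80_000, model, random.Random(7)))


if __name__ == "__main__":
    for action, out in demo():
        print(action, out.hex() if out else "-")
```

Running `demo()` walks the three cases the text distinguishes: an overloaded chip forwards the packet with its marks untouched so a downstream node can still claim the task; an idle chip seeing in-model traffic sets the done flag; an idle chip seeing UDP above its model threshold marks the packet abnormal and drops it with the configured probability. A node skips any task whose done flag is already set, which is what keeps several willing nodes on the path from repeating the same analysis.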

Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each process and/or block of the flowcharts and/or block diagrams, and combinations of processes and/or blocks therein, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Accordingly, if these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims (17)

1. A network programming processing method, comprising:
a router node receiving a packet containing a network programming code, the code indicating that one or more corresponding tasks need to be executed;
the router node determining the load state of the processing chip corresponding to the packet's ingress interface;
and, when the load exceeds a predetermined value, not processing the packet containing the network programming code, and, when the load is below the predetermined value, processing the packet containing the network programming code.
2. The method of claim 1, wherein the router node determines the load state of the processing chip corresponding to the packet's ingress interface with reference to one or more of the following parameters:
the current utilisation of the processing chip corresponding to the packet's ingress interface;
the number of packets currently being processed by the processing chip corresponding to the packet's ingress interface;
and the sum of the rates of the flows to which the packets currently being processed by the processing chip corresponding to the packet's ingress interface belong.
3. The method of claim 1, wherein processing the packet containing the network programming code comprises:
the processing executed corresponding to the one or more tasks to be executed, the one or more tasks having corresponding task marks in the data packet;
and modifying the mark of each task corresponding to the processing executed: if the router node executes one task, modifying the mark of that one task, and if the router node executes several tasks, modifying the marks of those several tasks.
4. The method of claim 1, wherein, when processing the packet containing the network programming code, if the information carried in the packet indicates that the relevant task is distributed denial-of-service attack analysis, the method further comprises:
analysing one or more types of network traffic against the acquired one or more traffic models and determining whether a distributed denial-of-service attack is present;
and, when a distributed denial-of-service attack is present, performing denial-of-service attack processing on one or more types of abnormal traffic according to the router's predetermined policy.
5. The method of claim 4, wherein performing denial-of-service attack processing on one or more types of abnormal traffic according to the target router's predetermined policy comprises:
performing a random packet-drop operation and/or a marking operation on the one or more types of abnormal traffic,
wherein, if the marking operation is performed, the data packet must carry a suspicious-or-abnormal mark indicating whether the packet is suspicious or abnormal.
6. The method of claim 5, wherein performing the random packet-drop operation or the marking operation further comprises:
if the traffic is judged not to be abnormal, modifying the task identifier that indicates the anomaly detection task is requested, so that it indicates the packet's anomaly detection task has been completed.
7. The method of claim 4, wherein determining whether a distributed denial-of-service attack is present comprises determining that a distributed denial-of-service attack is present when the monitored network traffic of a particular protocol exceeds the threshold traffic for that protocol in the traffic model.
8. The method of claim 4, wherein performing the marking operation further comprises:
if an abnormality is judged to be present, marking the related packets as suspicious or abnormal.
9. The method of claim 4, wherein obtaining the traffic model of one or more router nodes comprises:
each router node compiling statistics for its own traffic model and storing it on that router;
and each router node obtaining a reference traffic model from elsewhere and storing it on the router.
10. The method of claim 1 or 3, wherein the task marks encoded by the network programming technique are stored in the hop-by-hop (HBH) extension header or the SRv6 extension header of the IPv6 packet.
11. A network programming processing method, comprising:
at an ingress router node of the network, inserting marks into the packet in the format encoded by the network programming technique, the marks representing corresponding operations, and the operations corresponding to one or more tasks to be executed in the network.
12. The method of claim 11, wherein the marks are inserted into the hop-by-hop (HBH) extension header or the SRv6 extension header of the IPv6 packet.
13. A router node, comprising:
a processor, configured to read a program in a memory and execute the following process:
receiving a packet containing a network programming code, the code indicating that one or more corresponding tasks need to be executed;
determining the load state of the processing chip corresponding to the packet's ingress interface;
and, when the load exceeds a predetermined value, not processing the packet containing the network programming code, and, when the load is below the predetermined value, processing the packet containing the network programming code;
and a transceiver, configured to receive and send data under the control of the processor.
14. A router node, comprising:
a receiving module, configured to receive a packet containing a network programming code, the code indicating that one or more corresponding tasks need to be executed;
a load module, configured to determine the load state of the processing chip corresponding to the packet's ingress interface;
and a processing module, configured not to process the packet containing the network programming code when the load exceeds a predetermined value, and to process the packet containing the network programming code when the load is below the predetermined value.
15. A router node, comprising:
a processor, configured to read a program in a memory and execute the following process:
when serving as an ingress router node of the network, inserting marks into packets in the format encoded by the network programming technique, the marks representing corresponding operations, and the operations corresponding to one or more tasks to be executed in the network;
and a transceiver, configured to receive and send data under the control of the processor.
16. A router node, comprising:
a marking module, configured, when the node serves as an ingress router node of the network, to insert marks into packets in the format encoded by the network programming technique, the marks representing corresponding operations, and the operations corresponding to one or several tasks to be executed in the network.
17. A computer-readable storage medium, storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 12.
CN202210546405.XA 2022-05-18 2022-05-18 Network programming technology processing method, system and storage medium Pending CN117134925A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210546405.XA CN117134925A (en) 2022-05-18 2022-05-18 Network programming technology processing method, system and storage medium
PCT/CN2023/094748 WO2023222028A1 (en) 2022-05-18 2023-05-17 Network programming technology processing method and system, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210546405.XA CN117134925A (en) 2022-05-18 2022-05-18 Network programming technology processing method, system and storage medium

Publications (1)

Publication Number Publication Date
CN117134925A true CN117134925A (en) 2023-11-28

Family

ID=88834692

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210546405.XA Pending CN117134925A (en) 2022-05-18 2022-05-18 Network programming technology processing method, system and storage medium

Country Status (2)

Country Link
CN (1) CN117134925A (en)
WO (1) WO2023222028A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119966927B (en) * 2025-04-10 2025-06-27 上海壁仞科技股份有限公司 Communication method, device, management node, switch and communication management system

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US9369371B2 (en) * 2012-10-05 2016-06-14 Cisco Technologies, Inc. Method and system for path monitoring using segment routing
CN111510386B (en) * 2019-01-30 2023-06-20 华为技术有限公司 Method and device for processing message
CN112187649B (en) * 2019-07-01 2023-04-18 华为技术有限公司 Message forwarding method, message processing method and device
CN112751826B (en) * 2020-12-07 2024-04-30 中兴通讯股份有限公司 Method and device for forwarding flow of computing force application
CN114500453B (en) * 2022-03-31 2022-06-17 北京邮电大学 Identification analysis method and device

Also Published As

Publication number Publication date
WO2023222028A1 (en) 2023-11-23

Similar Documents

Publication Publication Date Title
US10972391B2 (en) Full-path validation in segment routing
US11343182B2 (en) System and method for dataplane-signaled packet capture in IPV6 environment
US10778572B2 (en) System and method for dataplane-signaled packet capture in a segment routing environment
US11711288B2 (en) Centralized error telemetry using segment routing header tunneling
US9060019B2 (en) Out-of band IP traceback using IP packets
WO2019210769A1 (en) Explicit routing with network function encoding
US9118719B2 (en) Method, apparatus, signals, and medium for managing transfer of data in a data network
US7725938B2 (en) Inline intrusion detection
US7636305B1 (en) Method and apparatus for monitoring network traffic
KR101615045B1 (en) Intelligent security networking system
CN1938982B (en) Method and apparatus for preventing network attacks by authenticating internet control message protocol packets
WO2023222028A1 (en) Network programming technology processing method and system, and storage medium
CN114826697A (en) Information reporting method, data processing method and device
CN113556345B (en) Message processing method, device, equipment and medium
CN100393047C (en) System and method for linkage between intrusion detection system and network equipment
CN106067864B (en) Message processing method and device
CN115442288B (en) SRv6 network data packet inspection method and device
Barokar et al. Identification of the Real Source of DDOS Attack by FDPM in IP Traceback System
JP2004096246A (en) Data transmission method, data transmission system and data transmission device
CN118200232A (en) Synchronization of firewall tables using Ethernet Virtual Private Network (EVPN) routing types
CN117439947A (en) Exception routing processing method, device and readable storage medium
CN115941223A (en) BGP Flowspec route issuing method and device, storage medium and electronic equipment
Torney et al. New Integrated Defence and traceback approach for Denial of service attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination